BSides London 2014 Presentation Highlights

Last week I had the pleasure of presenting at my first Security BSides London conference. Amidst the excitement of Infosec 14 and the chaos of the Tube strike, there were some excellent presentations and activities going on at BSides. Before diving in however, it is only appropriate to say a few words of thanks to the event organizers.

I can only imagine how hard it must have been to host an event complete with a lock-picking forum in a building full of priceless silver in locked display cases. Security BSides is a testament to the strength and dedication of the security community toward common goals of having fun while spreading knowledge.

With multiple speaking tracks, workshops, and competitions going on at any given time, there was simply too much for anyone to take it all in, so I’ve decided to recap some of my BSides London 2014 experience in this article.

Rafal Wojtczuk from Bromium labs, gave an interesting talk about the relative strength and weakness of various Windows end-point security solutions. Rafal’s presentation was of particular interest to me as my background is far more extensive in the realm of Linux exploit development and mitigation techniques than Windows kernel exploitation.

After reviewing some very basic information about protection rings and user versus kernel space, Rafal explained the principal of how an exploit is able to rewrite data in the kernel’s memory to elevate the context of attacker supplied code. There are a number of host-based protections which recognize and prevent these attempts.

Some anti-virus tools will simply recognize common shellcode patterns but this signature based approach is easily overcome by properly obfuscating shellcode or other elements identified by the AV tool. Other technologies such as Microsoft’s EMET look to recognize behavior associated with shellcode or return-oriented-programming (ROP) in user mode. (For those keeping track, back in February, another Bromium researcher made the considerable claim that virtually all EMET protections could be bypassed.)

According to Rafal, the major shortcoming of these systems is a failure to thwart kernel exploitation which can disable callbacks effectively blinding the host protections. In 2013 Microsoft fixed over 70 kernel vulnerabilities so the importance of understanding and protecting against kernel attacks is indisputable.

More effective protections must be implemented at a lower layer such as Supervisor Mode Execution Protection (SMEP) which is implemented at the CPU level as a means of preventing instructions stored in user space memory from executing while running in ring 0.

This approach is based on the assumption that it is not possible or feasible for an attacker to construct executable code in kernel pages and therefore the system is safe as long as the CPU does not run code from a user mode page when in ring 0. Unfortunately this is an incomplete assumption as it is possible to use kernel mode ROP chaining to clear the CPU’s SMEP bit, thereby allowing ring 0 execution of instructions stored in a user mode page.

Alternatively it is possible to get around SMEP using a kernel vulnerability to manipulate the system into ‘thinking’ that an executable page in user space is actually within the range of kernel space addresses. In order to demonstrate his findings, Rafal used the EPATHOBJ Windows kernel vulnerability (CVE-2013-3660) which was posted to the full disclosure mailing list last year.

Although he showed that sandbox technology such as what is used in Chrome and Sandboxie can be effective at limiting available exploit techniques, none of the tested sandboxes are 100% effective in the face of kernel exploitation. The most effective tool evaluated was McAfee DeepSAFE (DS) which operates at essentially the lowest level possible for a software security tool. DS acts as a hypervisor sitting between the Windows operating system and the actual hardware.

The goal of this approach is to make ring 0 less like ‘god mode’ with the ability to completely monitor and control all operations on the system. While DS is effective at catching some exploitation techniques missed by other higher level sandbox layers, it was also possible for Rafal to use the EPATHOBJ vulnerability for kernel mode escalation simply by crafting a payload which would not use methods protected by DS.

After hearing all the ways in which host protections can be bypassed it is easy to fall into the mental trap of thinking that these security measures are useless but the truth of the matter is that no security control will even be 100% impenetrable and reasonable cannot be maintained without a holistic approach complete with patching, scanning, host, and network protection layers.

There was also some interesting vulnerability research from MWR’s Robert Miller and Jon Butler. Miller’s talk, ‘Insecure Out of the box,’ explored vulnerability related to pre-loaded apps and customizations introduced by Android handset manufacturers.

Although the presentation was a bit light on technical details (for the sake of responsible disclosure) it definitely sheds some light on how these flagship (non-Nexus) devices could be rooted by an attacker positioned on the network such that they can man-in-the-middle plaintext web traffic destined to a WebView.

Miller explained that these problems tend to stem from the known JavaScript bridge vulnerabilities exposed in 2012 which allow web content access to internal Android APIs. Miller claims that most devices running Android prior to 4.2 are susceptible to this attack due to advertisements embedded in applications and fetched over HTTP rather than HTTPS. (It was also noted that some applications when presented with an SSL error would failover to plaintext HTTP making it that much easier to attack.)

Jon Butler’s unrelated research tackled the question of how to best identify vulnerability within a complex codebase such as the Chromium project. Butler actually leveraged Chrome’s use of clang to graph out call chains from complex asynchronous functions to find use-after-free vulnerabilities. Although this research clearly took quite a bit of effort, it is unfortunately not in a state where it is ready for release to the general public but I will certainly be keeping my ears to the ground for further news from his ninja project.

Arron “Finux” Finnon closed out the main track with ‘Finux’s Historical Tour Of IDS Evasion, Insertions, and Other Oddities,’ providing some interesting perspective on the progression and evolution of network protection technology as well as the security community as a whole.

Although I don’t have time to get into the specifics of his IDS/IPS research, I would like to take the time to reiterate one of his closing remarks. April 2014 was a tremendous month in our industry and a great opportunity for members at large of the security community to come together and really educate the public about why passwords need to die and what good security hygiene looks like.

Unfortunately (without naming any names) we instead saw heated debate and even public name calling making our industry seem as divided as ever. For our community to survive and even strive, we have to stop wasting energy bickering amongst ourselves and turn our attention to the serious problems we have in front of us.